|
| 1 | +# Microsoft Sentinel - QRadar Migration Data Collector |
| 2 | + |
| 3 | +**Version: 0.3.2** |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +The QRadar Migration Data Collector extracts custom detection rules and building blocks from IBM QRadar SIEM and converts them into a migration-ready format for Microsoft Sentinel. |
| 8 | + |
| 9 | +## Prerequisites |
| 10 | + |
| 11 | +- **Python 3** (latest stable release recommended; minimum 3.6) |
| 12 | +- **QRadar authorized service token** with Admin privileges. [See QRadar documentation] |
| 13 | +- **curl** (only required when using `--use-curl` on Python 2.7.5–2.7.8) |
| 14 | + |
| 15 | +> **Python 2.7 note:** Python 2.7 is end-of-life and no longer receives security patches. The script supports Python 2.7.5+ only for running directly on older QRadar consoles where Python 3 is not available. If possible, run the script from a separate host with Python 3 instead. |
| 16 | +
|
| 17 | +## Getting Started |
| 18 | + |
| 19 | +1. Create an Authorized Token in the QRadar UI. [See the documenation for more information](https://www.ibm.com/docs/qradar-common?topic=configuration-creating-authorized-service-token). |
| 20 | +2. Copy the token for use when running the script |
| 21 | +<div style="page-break-before: always;"></div> |
| 22 | + |
| 23 | +## Usage Example |
| 24 | + |
| 25 | +```bash |
| 26 | +python3 qradar_collector.py --host 10.1.0.10 |
| 27 | +``` |
| 28 | + |
| 29 | +The script will prompt for your API token securely (input is hidden). |
| 30 | + |
| 31 | +This will create a CSV file named `qradar_rules_YYYYMMDDHHMMSS.csv` containing rules with calculated migration columns. |
| 32 | + |
| 33 | +## Command-Line Options |
| 34 | + |
| 35 | +| Option | Description | |
| 36 | +|--------|-------------| |
| 37 | +| `-h`, `--help` | Show help message and exit | |
| 38 | +| `--host HOST` | QRadar console hostname or IP | |
| 39 | +| `--api-version API_VERSION` | QRadar API version (default: latest) | |
| 40 | +| `--skip-ssl-verify` | Disable SSL certificate verification for self-signed certificates. See warning below. | |
| 41 | +| `--use-curl` | Use curl for HTTP calls (required on Python 2.7.5–2.7.8) | |
| 42 | +| `--output-dir OUTPUT_DIR` | Directory for final CSV output files (default: current directory) | |
| 43 | +| `--cache-dir PATH` | Path to previously collected data for offline replay (read-only) | |
| 44 | +| `--log-sources` | Generate standalone active log sources inventory CSV | |
| 45 | +| `--active-days DAYS` | Days of inactivity before a log source is excluded (default: 7) | |
| 46 | +| `--debug` | Retain workspace folder and log file on exit | |
| 47 | +| `--batch-size SIZE` | Batch size for paginated API calls (default: auto-detected) | |
| 48 | + |
| 49 | +> [!WARNING] |
| 50 | +> `--skip-ssl-verify` disables TLS certificate validation. This removes server identity verification and can allow QRadar impersonation, API token interception, and response tampering by a malicious proxy or other on-path attacker. Use only on a trusted management network and trusted QRadar host. |
| 51 | +
|
| 52 | +## Running Locally on QRadar Console |
| 53 | + |
| 54 | +Older QRadar appliances typically have Python 2.7.5 installed, which lacks native TLS 1.2 support in the `ssl` module. Use the `--use-curl` flag to work around this limitation. Some QRadar consoles also use self-signed certificates, which is why `--skip-ssl-verify` is shown below: |
| 55 | + |
| 56 | +```bash |
| 57 | +python qradar_collector.py --host localhost --use-curl --skip-ssl-verify |
| 58 | +``` |
0 commit comments